Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
1
Network Forensics and NextGeneration Internet Attacks
Moderated by: Moheeb Rajab
Background singers: Jay and Fabian
2
Agenda
Questions and Critique of Timezones paper Extensions
Network Monitoring (recap)
Post-Mortem Analysis Background and Realms Problem of Identifying Patient zero Detecting Initial hit-list
Next Generation attacks (Omitted from slides) Implications and Challenges?
3
Botnets or Worms ?!
“The authors don’t provide evidence that botnetspropagate in the same way like regular worms”
Opening Sentence:4
3
2
Malware
Botnets
Worms
4
Student questions
5
Data Collection
“The original data collection method itself is worthmentioning as a strength of this paper”
“Can’t someone who sees all the traffic intended for aC&C server do more than simply gather SYN statistics”
“It is not clear to me how do they know that theycaptured the propagation phase in their tests”
6
Measuring Botnet Size
7
SYN Counting
Only looking at the Transport Layer Do we even know what this traffic is?
DHCP’d hosts DHCP will cause SYNs coming from different
addresses.
How does the Tarpit help?
Totally unrelated traffic Scans, exploit attempts, etc.
8
Estimating botnet size
How do we quantify these effects and relatethem back to the claimed 350 K size? Are we counting wrong? If we assume DHCP lease of∆ hours, how do these projections change?
Studied 50 botnets but we have 3 data points.
Fitting the model to the collected data What parameters did they use?
9
Evidence from “Da-list”
423 ( > 4 public IRCds)Feb 1st
11:00 AM EST
449Feb,1st
4:00 AM EST
Non-DNSDNSDate and Time
10
General consensus
Contrary to authors the attackers could use thetimezones effect to their benefit How?
This is old-school, right?: Zhou et al. A first look at P2P worms: Threats and
Defenses. IPTPS, 2005. Botnet Herders can hide behind VoIP. InfoWeek, 2/27/06
Okay, this is getting ridiculous
Cherry-picking: some weird indications …
11
Extensions Can we use this idea for containment?
Query to know if someone is infected How to preserve privacy and anonymity?
See Privacy-Preserving Data Mining. R. Agrawal and R.Srikant. Proceedings of SIGMOD, 2000
Patching rates? More grounded parameters might really affect model How might we get this?
Lifetime?
12
Student Extensions
Is there better ways to track botnets other thanpoisoning DNS? Crazy idea #1: Anti-worm
Crazy idea #2: Statistical responders Better way: Weidong Cui et al. Protocol-Independent
Adaptive Relay of Application Dialog. In NDSS 2006
What would you have liked to see with this data?
13
Using telescopes fornetwork forensics
14
Infer characteristics of the attackPopulation size, demographics, distribution Infection rate, scanning behavior .. etc
Trace the attack back to its origin(s) Identifying patient zero Identifying the hit-list (if any)Reconstructing the infection tree
Forensic (Post-mortem) analysis
15
Worm Evolution Tracking Realms
Graph Reconstruction
Reverse Engineering
Timing Analysis
16
Infection Graph Reconstruction
Proposed a random walk algorithm on the hostscontact graph Provides who infected whom tree
Identifies the worm entry point(s) to a local network oradministrative domain.
Xie et al, “Worm Origin IdentificationUsing Random Moonwalks” IEEESymposium on Security and Privacy, 2005
17
Random Moonwalks A random moonwalk on the host contact graph:
Start with an arbitrarily chosen flow
Pick a next step flow randomly to walk backward in timebackward in time
Observation: epidemic attacks have a treetree structure
Initial causal flows emerge as high frequency flowsInitial causal flows emerge as high frequency flows
T
ΔtΔtΔtΔtΔt
1 11
11
1
ABCDEFGHIJ
4550
30
30
40
38
10 8
41
159
28
18
31
16
20
2
2215
2
3
8
810
9
Slide by: Ed Knightly
Bt1
C
t2
F
t3 t5
t6
D E
H
G
t4
18
Random Moonwalk (Limitations)
Host Contact graph is known. requires extensive logging of host contacts
throughout the network
Only able to reconstruct infection history on alocal scale
Careful selection of parameters to guarantee theconvergence of the algorithms How to address this is left as open problem
19
Outwitting the Witty
Exploits the structure of the random number generatorused by the worm
Careful analysis of the worm payload allows us to reconstructthe infection series
Kumar et al, “Exploiting Underlying Structurefor Detailed Reconstruction of an Internet-scale Event”, IMC 2005
20
Witty Code !
srand(seed) { X ← seed }rand() { X ← X*214013 + 2531011; return X }
main()1. srand(get_tick_count());2. for(i=0;i<20,000;i++)3. dest_ip ← rand()[0..15] || rand()[0..15]4. dest_port ← rand()[0..15]5. packetsize ← 768 + rand()[0..8]6. packetcontents ← top-of-stack7. sendto()8. if(open_physical_disk(rand()[13..15] ))9. write(rand()[0..14] || 0x4e20)10. goto 111. else goto 2
21
Witty Code!
Each Witty packet makes 4 calls to rand()
If first call to rand() returns Xi :
3. dest_ip ← (Xi)[0..15] || (XI+1)[0..15]4. dest_port ← (XI+2)[0..15]
Given top 16 bits of Xi, now brute force all possible lower 16 bits tofind which yield consistent top 16 bits for XI+1 & XI+2
⇒ Single Witty packet suffices to extract infectee’s complete PRNGstate!
22
Interesting Observations
Reveals interesting facts about 700 infectedhosts: Uptime of infected machines
Number of available disks
Bandwidth Connectivity Who-infected whom Existence of hit-list Patient zero (?)
23
Reverse Engineering (Limitations)
Not easily generalizable Needs to be done on a case by case basis
Can be tedious (go back to the paper to see).
There must be an easier way, right?
24
Timing Analysis
Uses blind analysis of inter-arrival times ata network telescope to infer the wormevolution.
Moheeb Rajab et al. “Worm EvolutionTracking via Timing Analysis”, ACMWORM 2005
25
Problem Statement and Goals
To what extent can a network monitor trace theinfection sequence back to patient zero by observingthe order of unique source contacts?
For worms that start with a hitlist, can we use networkmonitors to detect the existence of the hitlist anddetermine its size?
Consider a uniform scanning worm withscanning rate s and vulnerable populationsize V and a monitor with effective size M.
26
Evolution Sequence and “Patient Zero”
We distinguish between two processes:
Time to Infect Time elapsed before the worm infects an additional
host
Time to Detect The time interval within which a monitor can
reliably detect at least one scan from a singlenewly infected host
inT
dT
27
Time to Infect and Time to Detect
28
Time to Infect and Time to Detect
Time to infect a new host
−
−−
=
3221
1log
11log
i
iin
sn
nVT
inT
29
Monitor Accuracy
Monitor Detection time, dT
∏=
−∑
−−= =n
i
sTT
e
i
j
jindM
P1
32
1
211
Probability of error
30
andinT dT
Uniform scanning worm:s = 350 scans/sec,V = 12,000Monitor size = /8
Probability of Error
31
Infection Sequence Similarity
Sequence Similarity
( )( )( ) ( )
∑=
→−+
−=
m
i AeBe
AeAB
ii
i
rr
rmY
0 ,,
,
1
1 2 3 4 5 6 7 8 9 m-1 m
1 2 3 4 56 7 89 m-1 m
Actual (A)
Monitor (B)
32
Is this any good?
Two (interesting) cases:
Varying monitor sizes
Non-homogeneous scanning rates
33
Bigger is Better
Larger telescopes provide ahighly similar view to theactual worm evolution
/16 view is completely useless!
34
Effect of non-homogeneous scanning
Scanning rate distribution derivedfrom CAIDA’s dataset
35
So, of what good is this?
Who cares what happens after thefirst 200 infections :-)
36
Problem Statement and Goals
To what extent can a network monitor trace theinfection sequence back to patient zero by observingthe order of unique source contacts?
For worms that start with a hitlist, can we use networkmonitors to detect the existence of the hitlist anddetermine its size?
Consider a uniform scanning worm withscanning rate s and vulnerable populationsize V and a monitor with effective size M.
37
What if the worm starts with a hit-list?
Hit-lists are used to Boost initial momentum of the worm (Possibly) hide the identity of patient zero
Trick: Exploit the pattern of inter-arrival timesof unique sources contacts at the monitor toinfer the existence and the size of the hitlist
38
Hit-list detection and size estimation
Pattern Changearound the hit-list
boundariesH = 100
Estimated hit-listH aprox. 8080% in the same /1688% belong to the same institution
Witty Worm (CAIDA)Simulation ( H = 100 )
39
Will we always see this pattern?
Same pattern was noticed also when varying populationsize and with non-homogeneous scanning rates.
H=1,000
40
Why is that?
With a hit-list of size the average worminfection time should be less than
With a /8 monitor there is no h0 that can satisfy thisinequality Of course, for uniform scanning worms
0hinT
( )
( )
−
−−≤
−−
32
32
0
21log
21
1log1log1
1logMhV
α
0/ hTd